Department of Energy
Washington, DC 20585

February 22, 2007

MEMORANDUM FOR

FROM:
                         Inspector General

SUBJECT:                 INFORMATION: Audit Report on "The National Nuclear
                         Security Administration's Implementation of the Federal
                         Information Security Management Act"

BACKGROUND

The National Nuclear Security Administration's (NNSA) mission includes maintaining
and enhancing the U.S. nuclear weapons stockpile, reducing global danger from weapons
of mass destruction, and providing safe and effective nuclear propulsion. To achieve its
mission goals, the NNSA utilizes many classified and unclassified computer networks
and individual systems. Given the sensitivity of the information residing on these
networks and systems, strong cyber security measures are essential for protecting
operational, personally identifiable, and other critical data from compromise. In Fiscal
Year 2006, NNSA officials reported that they expended just over $90 million on cyber
security in an effort to protect its information technology resources.

In September 2006, as required by the Federal Information Security Management Act
(FISMA), the Office of Inspector General completed its annual independent Evaluation
of the Department's Unclassified Cyber Security Program 2006 (DOE/IG-0738), to
determine whether the Department's unclassified cyber security program adequately
protected its data and information systems. Specific information supporting the
unclassified cyber security report was sensitive, identified vulnerabilities by site and was
not, therefore, for public dissemination. Based on the September 2006 report, and at
NNSA's request, we compiled this report to provide details related to specific unclassified
information system vulnerabilities.

RESULTS OF AUDIT

The NNSA had implemented a number of measures designed to reduce cyber security
risks and vulnerabilities, including strong technical controls and defense-in-depth
measures. In spite of these efforts, we identified a number of deficiencies that exposed
critical unclassified systems to an increased risk of compromise. Specifically, we found
that:

     Six NNSA sites had not completed or had not adequately performed certification
     and accreditation of all operational information technology systems as required by
     Federal regulation;

     Action had not been taken to ensure that systems at six sites containing Government
     financial information could continue or resume operations in the event of an
     emergency; and,

     Weaknesses in access controls, configuration management, and change controls
     designed to protect computer resources from unauthorized modification, loss, or
     disclosure of information, initially reported in 2005, had not yet been resolved.

                          ATTACHED REPORT CONTAINS
                       (OFFICIAL USE ONLY) INFORMATION

Cyber security weaknesses have been a continuing challenge for NNSA. We found that
NNSA did not always properly implement its own guidance as well as Departmental and
Federal cyber security requirements. In addition, NNSA had not performed regular
monitoring activities essential to evaluating the adequacy of cyber security program
performance. As a consequence, NNSA's unclassified information systems and networks
and the data they contain remain at risk of being compromised, including the possible
unlawful diversion of operational data, personally identifiable information, or other
critical information.

As we observed during our recent Special Inquiry Report to the Secretary on Selected
Controls over Classified Information at the Los Alamos National Laboratory (OAS-SR-07-01,
November 2006), the failure to establish and enforce cyber-related controls can
have significant consequences. The problems with the development and enforcement of
cyber safeguards at Los Alamos that were the subject of our November 2006 report
resulted in increased vulnerabilities that could have led to the unauthorized diversion of
classified information.

To help address continuing weaknesses, NNSA has developed an automated Integrated
Certification and Accreditation System, which was designed to aid sites in preparing
certification and accreditation packages in compliance with National Institute of
Standards and Technology and Department requirements. These efforts, if properly
implemented and executed, could help NNSA resolve continuing cyber security
weaknesses. However, more effort is needed in this critical area. Our report includes
several specific recommendations intended to improve protective efforts across the
NNSA complex.

MANAGEMENT REACTION

Management concurred with our findings and recommendations. In particular,
management indicated that NNSA is currently in the process of updating policies, and
will establish an assessment team to routinely review and evaluate the implementation of
cyber security requirements at NNSA sites.

Attachment

cc: Deputy Secretary
    Administrator, National Nuclear Security Administration
    Chief of Staff
    Chief Information Officer, IM-1
    Director, Policy and Internal Control Management, NA-66